lionkor 13 hours ago [-]
Might this be because any kind of genuine pentesting, unless it's explicitly been paid for, is highly illegal in countries like Germany (§ 202c StGB, § 202a StGB, etc.)?
For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.
zelphirkalt 13 hours ago [-]
In Germany we have the completely wrong mindset for such things. Instead of being grateful, all we care about is "whose fault is it" and CYA tactics. And no one wants to be "guilty" or have their incompetence revealed, so suits will do anything they can to avoid that. Something serious needs to go wrong first, so that the loss of face already happens, before anyone will move. Maybe we need to get hacked by Russia a few more times.
CalRobert 13 hours ago [-]
How is the home of the Chaos Computer Club so bad at this....
rf15 13 hours ago [-]
It is only this degree of malice and incompetence that can give rise to something like the CCC.
Kirth 11 hours ago [-]
Yeah it does feel like much tech competence that sprouts in Germany is either sequestered off and penned in, and/or leaves the country.
dmichulke 9 hours ago [-]
There is a kind of naiveté, also at EU level, where people think that once it's a law, bad actors will just fold.
Their minds are somehow unable to comprehend that only the good actors will fold and only bad actors will be left.
Other examples are: Firearms possession, supply chain law regarding human rights and child labor.
CalRobert 9 hours ago [-]
I was really excited for GDPR until I realized Europe had no intention of actually enforcing it :-(
abc123abc123 7 hours ago [-]
Actually, southern Europe seems to have understood that it can be quite a good business fining US megacorps billions and billions. Northern European countries do very little except symbolic wrist slapping.
CalRobert 6 hours ago [-]
Sure, but there were other provisions like machine-readability of exported data, etc. that could have been really helpful. I should be able to do a one-click export of my Spotify playlists and favourites (the music I like is personal info in my view) in to Qobuz, for instance.
"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided"
https://gdpr-library.com/article/20
You still have quite enough people in high places who are direct or indirect beneficiaries of companies that are either Russian or tied to Russia, so nothing will ever happen even then.
tetha 12 hours ago [-]
Yeah.
And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.
But we're at a point where a court had to decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to a lack of a security boundary like authorization.
That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.
mapontosevenths 9 hours ago [-]
The mere act of scanning for vulnerability often causes outages.
I once ran a vulnerability scan at an industrial company that completely disabled their employees' ability to clock in and out. I didn't believe it had anything to do with my scanner at first, but it ran on a schedule and the scanner's schedule matched their outages exactly.
Eventually it turned out the timecard system had these IoT badge readers with a poorly written TCP stack. It would ACK every SYN, and worse, the half-open connections never closed, so during a port scan every port was left open until it exhausted the memory on the little buggers.
My point is... you can't know in advance what damage you'll do with this sort of testing. That's kind of the entire reason we have to actually perform the real-world tests instead of assuming or emulating them.
It's also the reason that real-world scanning without authorization is probably already a crime in most jurisdictions, whether it's enforced or not.
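The failure mode in the comment above (a stack that SYN-ACKs everything and never reaps half-open entries) modelled as a toy simulation. This is an added illustration, not code from the commenter or any real badge-reader firmware; the capacity, timeout, port range and scanner address are constructed. It shows the mitigation a firmware reviewer would look for: a bounded embryonic-connection table with an idle timeout keeps a 1024-port scan from exhausting memory.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ToyTcpStack:
    """Minimal model of a device's embryonic (half-open) connection table.
    Constructed illustration only; numbers are made up."""
    capacity: int                        # half-open entries the device can hold
    half_open_timeout_ms: Optional[int]  # None = never reaped (the buggy behaviour)
    table: dict = field(default_factory=dict)  # (src, sport, dport) -> opened_at_ms
    dropped: int = 0                     # SYNs refused because the table was full
    peak: int = 0                        # largest table size seen
    oom: bool = False                    # set once the table hits capacity

    def reap(self, now_ms: int) -> int:
        """Drop embryonic connections that never completed the handshake.
        A stack with no timeout (the bug) keeps them forever."""
        if self.half_open_timeout_ms is None:
            return 0
        stale = [k for k, t in self.table.items()
                 if now_ms - t >= self.half_open_timeout_ms]
        for k in stale:
            del self.table[k]
        return len(stale)

    def on_syn(self, src: str, sport: int, dport: int, now_ms: int) -> str:
        """Handle an inbound SYN: reply SYN-ACK and remember the half-open entry,
        or refuse it when the table is full (the 'out of memory' condition)."""
        self.reap(now_ms)
        if len(self.table) >= self.capacity:
            self.oom = True
            self.dropped += 1
            return "DROP"
        self.table[(src, sport, dport)] = now_ms
        self.peak = max(self.peak, len(self.table))
        return "SYN-ACK"


def simulate_syn_scan(stack: ToyTcpStack, ports, interval_ms: int = 100,
                      src: str = "198.51.100.7") -> ToyTcpStack:
    """One SYN per port from a single source that never finishes the handshake,
    which is the traffic pattern a scheduled port scan produces."""
    now = 0
    for i, port in enumerate(ports):
        stack.on_syn(src, 40000 + i, port, now)
        now += interval_ms
    return stack


if __name__ == "__main__":
    buggy = simulate_syn_scan(ToyTcpStack(capacity=256, half_open_timeout_ms=None),
                              range(1, 1025))
    fixed = simulate_syn_scan(ToyTcpStack(capacity=256, half_open_timeout_ms=5000),
                              range(1, 1025))
    print("no timeout : peak", buggy.peak, "dropped", buggy.dropped, "oom", buggy.oom)
    print("5s timeout : peak", fixed.peak, "dropped", fixed.dropped, "oom", fixed.oom)
```

With a 100 ms scan interval and a 5 s timeout the table never holds more than 50 entries, while the stack without a timeout fills its 256 slots and refuses everything after that.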
tetha 9 hours ago [-]
But in a perfect world, the question would be: Is it reasonable to expect an outage by sending a few single TCP packets to a system? Or, were you flooding the system unreasonably?
It is a huge security risk to treat systems as ancient eggshells you must not touch ever. A certain amount of touching has to be reasonable, because that is what foreign actors will do if they need to cause trouble. Apparently you could cause this company major operational harm with a Pi Zero. Why is that protected by professional ruin and jail time?
fossislife 12 hours ago [-]
As a German I fear the only way I can see one of our government agencies to react upon an external pentesting report is if you threatened to release data from it, anyway (this is not a recommendation, please don't raid my home). I just do not see them fixing even a dangerous bug if a stranger came along and told them to.
breisa 11 hours ago [-]
That's far from reality. Just use the online form of the BSI for disclosure. They contact the affected party for you. This way you can optionally stay anonymous and the vulnerabilities get fixed because the BSI appears as the messenger.
lionkor 9 hours ago [-]
That's great to know, thank you!
voodooEntity 9 hours ago [-]
Word.....
These laws, while I want to say they have a good intention, just do the opposite...
I myself, residing in Germany, developed a recon/vuln/scanning tool that I'm legally forbidden to publish because of the laws you just mentioned.
lionkor 9 hours ago [-]
I heard from a friend that you can rent VPSs in pretty much any non-western country with some bitcoin (as long as you do nothing illegal, they don't care). I wouldn't suggest using it to circumvent any laws, but my friend used it for enhanced privacy.
voodooEntity 9 hours ago [-]
Well, I wouldn't recommend using BTC for the payment, to be honest. But yeah, offshore servers have been a thing for a long time.
Though I wanted to open source the tool (spent ~10 years developing it) and that's just not an option.
Don't want to self-advertise here, but for the sake of better understanding, if you want to know the details you can read them here: https://blog.laughingman.dev/article/Ishikawa_10_years_of_bu...
To be fair, most of this stuff could be found with any normal browser. You don't even need browser dev tools. But if you write a simple script to automate any of this... yeah. They can totally get you for doing that. Probably one of the best examples of why politicians should not be allowed to pass technical laws they fundamentally can't grasp.
lionkor 13 hours ago [-]
Visiting an admin page is fine, yeah, but even just trying a default password, or having specific cookies set in the browser that look like an attempt to gain access, already clearly violates § 202a and you could be prosecuted, from how I read that law's text.
And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.
jiehong 11 hours ago [-]
It's a good way to ensure that people outside of Germany pentest German sites instead :D
aequitas 14 hours ago [-]
Today we launch SecurityBaseline: monitoring 67.000 governments and 200.000 sites.
Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.
SyneRyder 11 hours ago [-]
Tiny request that you probably can't do anything about - but despite this page being in English, the HTML is incorrectly reporting it as lang="nl-NL" in the first line of the source. There's a few other hreflang="nl" floating around pointing to English pages as well.
(Only noticed because I have a tiny indie search engine that can only index English right now, and the "nl-NL" is causing the page to be misclassified.)
Weird niche bug report aside though - love to see this project, congratulations for working on this. I think it's a great idea.
I'd personally love to see a closer look at government sites that drop cookies before the consent banner has asked permission to do so. I'm not worried about cookies, but if we're going to ignore the consent banner anyway, why waste everyone's time asking in the first place?
repelsteeltje 14 hours ago [-]
Maybe post this as Show HN? And adjust headline to fit max chars.
aequitas 14 hours ago [-]
Thanks, will do that.
gbkgbk8 13 hours ago [-]
yes
bombcar 9 hours ago [-]
> 3.000 governmental sites use tracking cookies illegally
In the USA the government often excludes itself from privacy and other similar laws, did the EU fail to make that distinction?
0123456789ABCDE 13 hours ago [-]
Q: would you mark google.com with any "high risk" findings?
There are quite a few like this, that on close inspection, are just fine.
Stitch4223 11 hours ago [-]
I see some 25 French municipal sites are on "sites.google.com". By default we also import and attribute the main domain google.com to those organizations. That is usually correct, but obviously wrong in this case.
The data was removed, and tomorrow's reports will reflect that.
0123456789ABCDE 10 hours ago [-]
The question is: if `https://www.google.com` were to be included in this analysis, would you expect to see any "high risk" findings?
And the reason I ask is that some of the findings I have seen would apply to google.com, yet no one would consider them "high risk", so why do this to other services?
This effort would be better served by raising attention to truly important issues, or defects, than by trying to identify as many problems as possible and, for lack of a better word, presenting the results in a way that's unnecessarily dramatic.
elric 12 hours ago [-]
Colouring an area red because they don't have DNSSEC enabled on a domain seems excessive.
A nice addition would be to add who is hosting their email. First handful I've looked at are all outlook.com, which seems a much bigger privacy & security risk than not using DNSSEC.
duckmysick 11 hours ago [-]
> A nice addition would be to add who is hosting their email.
Thanks for that link! The results are predictably depressing.
Stitch4223 12 hours ago [-]
Not making it red would downplay the "SEC" part in DNSSEC.
We already have some privacy metrics in addition to tracking cookies, and there will be more. All are important at the same time.
elric 12 hours ago [-]
"Important" according to whom? A tracking cookie is trivial to fix (or to automagically disable for the more tech savvy citizens). Email being hosted by an untrusted foreign corporation is way harder to fix and impossible to bypass as a citizen trying to contact their government.
Stitch4223 9 hours ago [-]
The effort required to fix tracking cookies is sometimes astounding, while migrating to another email provider is trivial.
This depends on how well the organization handles change and various complexities. Having great technical staff makes things easier, and throwing money at the problem can also help.
Just to give an anecdote: I've had people crying on the phone because their "solutions provider" could not get TLS to work on their www domain despite spending 5.000 euros or so.
mirashii 11 hours ago [-]
I'd have hoped in 2026 that anyone publishing this type of report would understand that DNSSEC isn't helping anything, and is generally considered to be actively harmful to enable. I'd suggest doing a bit more research and dropping the DNSSEC stuff, or reversing it entirely.
bombcar 9 hours ago [-]
DNSSEC is more likely to self-DoS yourself than protect against an attack, unfortunately.
It is not desirable to have mass adoption of DNSSEC, or to try to incentivize that.
rickdeckard 13 hours ago [-]
Great work.
It's fun how these graphs indirectly hint at a cross-section of "e-Gov"/"tech-literacy in politics" per country with those incident-tables.
1. Countries with strong e-government and HIGH understanding of its requirements rank LOW (good!)
2. Countries with evolving e-government practices and LOW understanding of the implications rank HIGH (bad!)
3. Countries FAR BEHIND in e-government practices rank LOW (...good?)
Goes to show that globally we need more tech-literate people on the forefront of politics, so that the proper priorities are also set in execution...
nodar86 11 hours ago [-]
At least for Hungary most of these are totally random websites with no connection to the government at all. 4/4 of the "region" websites are very random and all "district" sites seem to be pointing to a single decommissioned/archived site. The other lists I only spot-checked but they contain a mix of government sites and local news sites.
I don't see how such a thing could go out in public calling out government security when they didn't do the bare minimum of checking if the sites they "monitor" are truly governmental sites.
cryo32 13 hours ago [-]
Perhaps surprisingly, we already do this in the UK. Public-facing side of the security services are all over it.
blitzar 11 hours ago [-]
I get emails from the German Federal Office for Information Security (BSI) via Hetzner letting me know if I have DB ports open etc.
debesyla 13 hours ago [-]
Is there a list of these "government" sites anywhere?
I have been working on a similar project, focusing on Lithuanian-only "government" sites, but it's not perfectly obvious how to recognise public vs private websites, as at least half of those are managed privately, used publicly. (Mostly because that was cheaper and/or because of a lack of requirements and/or other weird situations.)
But yeah, I can confirm that stats are same-ish in the Lithuanian web too. I just haven't finished gathering data yet, it will take a while.
Stitch4223 13 hours ago [-]
What we have is published on https://securitybaseline.eu/datasets openly. Some governments publish lists, and they will be incomplete. In the article we point to our most successful approach: sifting through the (partial) zone file with domain owner information. That delivered thousands of sites the Dutch government didn't even know about.
Perhaps a freedom of information request might also work, but that will take a lot of time to write correctly and does not scale across all governments.
vin10 13 hours ago [-]
There should be a metric for sites hosting malicious content!
Might be worth enclosing that URL in quotes or using [dot] in the URL instead, so people don't accidentally click on that "mortal-kombat-2-cs.pdf" file that Europa.EU is hosting.
VirusTotal claims the PDF file is clean, but I don't think I'd fully trust it anyway. If you do find malicious content, it could be worth submitting the URLs to VirusTotal so that the domain is flagged by browsers (e.g. Google Safe Browsing) and people can't accidentally visit ec.europa.eu domains until it has been cleaned.
embedding-shape 12 hours ago [-]
> people can't accidentally visit ec.europa.eu domains until it has been cleaned
Just to be safe, couldn't we globally disable BGP and internet transit in general in the meantime? In case someone tries to visit it by other means?
SyneRyder 11 hours ago [-]
Oh man, I didn't think of that! You're right, disabling BGP is a better approach.
Although a narrower approach might just be to MITM SSL connections of the general European public. Then you can check if any of those visits are to ec.europa.eu, and either block it outright, or keep a record of people who visited the website. You've already got their IP from the tracking cookies europa.eu drops before asking cookie permission, and you want to make sure you inform them of compromise. It shouldn't be too hard to look up the citizen's postal address, it's probably in one of those ec.europa.eu databases that was left in a public AWS bucket. [1]
- DNSSEC is not configured
- Few cookies are sent and (ALERT!) a Google marketing cookie
- Missing ROA
The thing though is that this is a purely informational website (that's defunct under Safari :D) and all actual interaction goes through a specialized portal (e.g. gov.pl, for which the only complaint is cipher order).
I get it, it's an aggregator, but showing red maps is at least sensationalist.
Seems that results are taken from internet.nl, which has a WAY better UI than the page posted.
That's a wonderful initiative! I wanted first to complain about Dutch municipalities but looking at the foundation, I see fellow Dutch- and Belgian-men are already focusing on them!
Neil44 13 hours ago [-]
To be fair it's pretty much the norm with shared and even vps hosting that your cpanel etc will be publicly accessible. Only people who hand-roll their setups will have things firewalled down etc. And if it's a website promoting a local tree planting initiative or whatever is it really a good use of budget to get everything hardened so much.
onion2k 13 hours ago [-]
> And if it's a website promoting a local tree planting initiative or whatever is it really a good use of budget to get everything hardened so much.
Given the fact lots of sites like that have Wordpress 'databases' of form submissions full of people's personal data, absolutely definitely emphatically yes.
abbe98 10 hours ago [-]
Are state agencies included for any country? This seems to only include government agencies with their own administrative divisions?
jillesvangurp 13 hours ago [-]
Interesting data set. Would be interesting to repeat the same for SMEs. In my experience, Germany is pretty hopelessly behind on everything except GDPR enforcement. They are kings of that. Must have a cookie screen, apparently. That's why they score so well on that and not much else.
When the GDPR became active eight or so years ago, we got a few GDPR related requests to our service. Basically strongly worded requests to remove their data and account, which we of course honored. All of these came from Germany. Nobody else really cared. But it was kind of curious how quickly that happened. What was interesting is that we had zero such requests before that law came into power. And it's not like we were misbehaving or would have denied such a request. This was more a matter of principle: "I now finally have the right to ask this, so I'm going to."
Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much. It never really was about the cookies but about data handling and sharing.
Any mobile app you install might track you without setting cookies and you can't install an ad blocker in those either. That's why Google loves apps so much. You don't actually need cookies for those. There usually is no cookie screen when you install one (unless it's a web app packaged up as an app). But sharing personal data with a third party provider is still problematic under GDPR. If you read the actual law, it barely mentions cookies at all. The "must have consent screen for cookies" is just the common (mis)interpretation for laymen, because it's the most visible impact that this has had on them. When it comes to data removal and other requests, it's less about features you have and more about processes you use for complying with legal requests. That can be a person answering emails and doing things manually. Doesn't scale if you get a lot of requests but it would be fine legally.
ketzu 13 hours ago [-]
> Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much.
In what way is GDPR focused on cookies?
In my experience, developers in online discussions make it seem all about cookies, pretending other ways of tracking don't exist, while the law does not. But it has been a while since I looked into it and I might remember that wrong.
> There usually is no cookie screen when you install one usually (unless it's a web app packaged up as an app).
A lot of games provide opt-in screens, as they heavily rely on ad networks.
> If you read the actual law, it barely mention cookies at all
Now I am confused, didn't you just say it was focused on cookies?
jillesvangurp 10 hours ago [-]
No, I said a lot of people are mistakenly focusing on cookies when it comes to GDPR. Including the linked site which checks mainly cookie consent issues with a few websites under the GDPR topic.
egorfine 13 hours ago [-]
> What was interesting is that we had zero such requests before that law came into power
Because these requests would be 100% ignored. And the law gave people the power they wanted.
I'm mentally and legally far from Germany and I'm not a big supporter of GDPR, but this law is indeed a step in the right direction.
_nub3 12 hours ago [-]
Actually Spain led on this and had the strictest regulations before Germany regulated broader "Neuland" cookies.
exceptione 11 hours ago [-]
> Germany is pretty hopelessly behind on everything except GDPR enforcement.
Are you sure? I see major outlets in Germany blatantly violating the GDPR by forcing visitors to pay with their privacy or pay with their money. That is not allowed. It is perfectly fine to have a paywall, but you can never have people pay with their privacy.
jillesvangurp 9 hours ago [-]
Are you sure they are in violation? Because it only takes one customer to trigger expensive lawsuits. And there are a lot of very eager and trigger happy lawyers in Germany specializing in that sort of thing. A lot of people make bad assumptions about what is and isn't legal/allowed and a lot of companies have gotten good at finding the grey area of stuff that probably won't get them into trouble.
exceptione 3 hours ago [-]
From a quick check some wrong ones seem to have disappeared, but bild.de is massively confusing right now. It offers
> To be able to use BILD.de free of charge, your consent is required for some processing purposes. For other processing purposes you can make a selection here. Once you have made a selection for all processing purposes, you can save it. You can change your selection at any time via the "Privacy-Manager" link.
That seems in violation of: privacy is not a payment.
EDIT: bild.de offers a fake consent choice screen. They fail to provide a "decline all" next to their "accept all" option, but even if you disable every tracking choice and choose to persist your choices, it does nothing and keeps the blocking cookie wall.
lccerina 13 hours ago [-]
Honestly surprised that Italian municipalities are doing relatively well compared to other countries. Maybe it helped a push from the government to have a shared design for municipal websites (https://github.com/orgs/italia/repositories?q=comuni)
kome 12 hours ago [-]
Italians stay winning as usual... :-)
But for real, Italian public administration digitalization isn’t as bad as people think when compared to other big countries. SPID (an electronic identity system, now deprecated) was years ahead of many other European countries (and easily, the US), and PEC (a certified email standard for official communications established in 2005, that can be used with standard email clients) is still more advanced than the often more complicated and closed systems used in many other places. The Italian standard also deeply influenced the EU standard: https://dl.acm.org/doi/fullHtml/10.1145/3560107.3560256
lccerina 10 hours ago [-]
It's almost as if putting competent people in the right place and with the right budget is the best way to achieve government/public-funded results...
CalRobert 13 hours ago [-]
Cool stuff but odd that Ireland has results for all but 3 counties and one of the ones missing data is Co Dublin...
jamesdelaneyie 12 hours ago [-]
Could be that you have four councils: Dublin City Council, Dun Laoghaire/Rathdown, South Dublin, and Fingal
Stitch4223 13 hours ago [-]
I've added it to the backlog. We're also missing several other regions, but Ireland is the most obvious.
Aerroon 12 hours ago [-]
>3.081 European government sites place tracking cookies without consent.
GDPR was adopted more than a decade ago and our governments still can't do it right, yet they expect everyone else to get it right. Amazing regulation.
oliviergg 13 hours ago [-]
Seems a good idea, but currently down.
aequitas 13 hours ago [-]
Slashdotted, despite preparations :), working on it.
cs02rm0 13 hours ago [-]
I hate consent banners more than tracking cookies.
The thing with government stuff is that no one is held accountable. Even people "fired" from doing a lousy job in a place will just be transferred to another department or another government agency. No one really gets fired fired. And when you know nothing happens to your job... there is no incentive to be good at it.
lionkor 13 hours ago [-]
Bot account? It's been 2026 for a while now.
m4tthumphrey 13 hours ago [-]
Came here to say this. Absolutely insane.
Why is phpMyAdmin even still needed/wanted in 2026? It's not exactly user friendly for a developer, let alone an average Gov employee...
spaqin 13 hours ago [-]
Knowing the govt sector, the developers probably got hired 20 years ago and enjoy their stable, chill, even if a bit low pay job. No need to do CV-Driven Development and chase any new trend if the site's running and they're not looking for a new position...
zelphirkalt 13 hours ago [-]
It's what you get, when you scrape the bottom of the barrel with the salaries you are willing to pay. Are you willing to take a 1/3 pay cut for no good reason? You are welcome to work in such positions.
ExoticPearTree 13 hours ago [-]
Because most of the Wordpress shops only know how to work with phpMyAdmin.
junaru 13 hours ago [-]
Clarify what is "used today" and what features phpmyadmin provided that are "no longer needed". Until then your comment is just a juvenile attack.
rambambram 13 hours ago [-]
Quit the lowkey PHP bashing, please.
m4tthumphrey 13 hours ago [-]
I think (a public) phpMyAdmin in 2026 deserves a good bashing.
(I have been working with PHP for 20 years)
vga1 13 hours ago [-]
Yeah, PHP bashing should be highkey.
nubinetwork 13 hours ago [-]
Can we start using a comma as a thousands separator instead of a period?
reddalo 12 hours ago [-]
Period is the thousands separator and comma is the decimal separator in almost all European countries.
Stitch4223 12 hours ago [-]
We checked this before going live and came to the same conclusion. We also discovered that the official languages of the EU are all 24 languages, but we chose to write the post in English and not AI-translate it.
usrnm 13 hours ago [-]
In most (all?) European countries comma is the decimal separator
usui 12 hours ago [-]
I skimmed https://wikipedia.org/wiki/Decimal_separator but still don't understand. Why does this difference exist? Also, why did the conflict eventually settle into something between full stops and commas? What stopped other symbols from continued usage like bars or underscores?
It seems weird that a system would eventually settle on just full stops and commas, yet not settle on where to put them. If your system is going to converge strongly on two symbols, finish the job!
duckmysick 11 hours ago [-]
> Why does this difference exist?
Same reason why there are different date formats, weeks start on Sundays/Mondays (or Saturdays), long/short scale numbers, drives on left/right, different wall sockets and plugs, different train gauges, and of course metric/imperial.
It's a mix of tradition, conventions, inertia.
chmod775 11 hours ago [-]
Because in English you say "three dot two", whereas in German it is "Drei-Komma-Zwei".
It just reflects the spoken language. And having the unused symbol then be the thousand separator is natural.
usui 10 hours ago [-]
Interesting, I did not know this, but a little bit doubtful. Wouldn't it be the other way around? Explicit spoken language coming from being written that way.
chmod775 10 hours ago [-]
Maybe at some point originally, but now you can't change it. Spoken language resists attempts to shape it by committee, and written language has to begrudgingly follow its lead.
veltas 12 hours ago [-]
Not in e.g. UK.
reddalo 12 hours ago [-]
The UK is sadly not in the European Union and it wasn't included in this study.
For example, I'd be more than happy to pentest some govt websites here in Germany, if the very act of visiting them with a non-standard browser couldn't somehow already be misconstrued as breaking various hacking laws. No thanks! Keep your security vulnerabilities.
They minds are somehow unable to comprehend that only the good actors will fold and only bad actors will be left.
Other examples are: Firearms possession, supply chain law regarding human rights and child labor.
"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided"
https://gdpr-library.com/article/20
And I do think that security research should have some regulation about it, but it should be more about responsible handling of the privileged access you gained, or a responsibility to disclose found vulnerabilities in private and/or to a government entity. You know, "If you have gained access to a system, and you saw a button <Turn off cooling pump 2> and you pressed it, you are on the hook for the damages". That is common practice with paid pentesters already.
But we're at a point where a court had do decide if discovering an endpoint on an API without authorization is a "circumvention of a security boundary" or not. Luckily, we now have a ruling that accessing API endpoints without authorization logic is no circumvention of a security boundary, due to a lack of a security boundary like authorization.
That's the level we are at. I don't want to know what happens if foreign nation state actors start acting on this seriously.
I once ran a vulnerability scan at an industrial company that completely disabled their employees ability to clock in and out. I didnt believe it had anything to do with my scanner at first, but it ran on a schedule and the scanners schedule matched their outages eaxctly.
Eventually it turned out the timecard system had these IOT badge readers with a poorly written tcp stack. It would ACK every SYN, and worse the half open connections never closed, so during a port scan every port was left open until it exhausted the memory on the little buggers.
My point is... you cant know in advance what damage you'll do with this sort of testing. That's kind of the entire reason we have to actually perform the real world tests instead of assuming or emulating them.
It's also the reason that real world scanning without authorization is probably already a crime in most jurisdictions, whether it's enforced or not.
It is a huge security risk to treat systems as ancient eggshells you must not touch ever. A certain amount of touching has to be reasonable, because that is what foreign actors will do if they need to cause trouble. Apparently you could cause this company major operational harm with a pi zero. Why is that protected by professional ruin and jail time?
These laws, while I want to say they have a good intention, just do the opposite...
I myself, residing in Germany, developed a recon/vuln/scanning tool that I'm legally forbidden to publish cuz of the laws you just mentioned.
Though I wanted to open source the tool (spent ~10 years developing it), that's just not an option.
Don't want to self-advertise here, but for the sake of better understanding, if you want to know the details you can read them here: https://blog.laughingman.dev/article/Ishikawa_10_years_of_bu...
And while URL obscurity alone is weak evidence of "special protection" of a resource, I'm sure some legal team would love to try to argue otherwise.
Headlines: 3.000 governmental sites use tracking cookies illegally, over 1.000 database management interfaces are publicly reachable, 99% of governmental email is poorly encrypted.
(Only noticed because I have a tiny indie search engine that can only index English right now, and the "nl-NL" is causing the page to be misclassified.)
Weird niche bug report aside though - love to see this project, congratulations for working on this. I think it's a great idea.
I'd personally love to see a closer look on government sites that drop cookies before the consent banner has asked permission to do so. I'm not worried about cookies, but if we're going to ignore the consent banner anyway, why waste everyone's time with asking in the first place.
In the USA the government often excludes itself from privacy and other similar laws, did the EU fail to make that distinction?
There are quite a few like this that, on close inspection, are just fine.
The data was removed, and tomorrow's reports will reflect that.
And the reason I ask is that some of the findings I have seen would apply to google.com, yet no one would consider them "high risk", so why do this to other services?
This effort would be better served by raising attention to truly important issues, or defects, than by trying to identify as many problems as possible and, for lack of a better word, presenting the results in a way that's unnecessarily dramatic.
A nice addition would be to add who is hosting their email. First handful I've looked at are all outlook.com, which seems a much bigger privacy & security risk than not using DNSSEC.
Something like this? https://livenson.github.io/mxmap/
A few countries have those, here's a Github repo of the Swiss one (has a list of forks in there too): https://github.com/davidhuser/mxmap
We already have some privacy metrics in addition to tracking cookies, and there will be more. All are important at the same time.
This depends on how well the organization handles change and various complexities. Having great technical staff makes things easier, and throwing money at the problem can also help.
Just to give an anecdote: I've had people crying on the phone because their "solutions provider" could not get TLS to work on their www domain despite spending 5.000 euros or so.
1. Countries with strong e-government and HIGH understanding of its requirements rank LOW (good!)
2. Countries with evolving e-government practices and LOW understanding of the implications rank HIGH (bad!)
3. Countries FAR BEHIND in e-government practices rank LOW (...good?)
Goes to show that globally we need more tech-literate people on the forefront of politics, so that the proper priorities are also set in execution...
I don't see how such a thing could go out in public calling out government security when they didn't do the bare minimum of checking if the sites they "monitor" are truly governmental sites.
I have been working on a similar project, focusing on Lithuanian-only "government" sites, but it's not perfectly obvious how to recognise public vs private websites, as at least half of those are managed privately, used publicly. (Mostly because that was cheaper and/or because of a lack of requirements and/or other weird situations.)
But yeah, I can confirm that stats are same-ish in the Lithuanian web too. I just haven't finished gathering data yet, it will take a while.
Perhaps a freedom of information request might also work, but that will take a lot of time to write correctly and does not scale across all governments.
https[:]//erasmus-plus.ec.europa.eu/sites/default/files/2026-05/mortal-kombat-2-cs.pdf
VirusTotal claims the PDF file is clean, but I don't think I'd fully trust it anyway. If you do find malicious content, could be worth submitting the URLs to VirusTotal so that the domain is flagged by browsers (eg Google SafeBrowsing) and people can't accidentally visit ec.europa.eu domains until it has been cleaned.
Just to be safe, couldn't we globally disable BGP and internet transit in general in the meantime? In case someone tries to visit it by other means?
Although a narrower approach might just be to MITM SSL connections of the general European public. Then you can check if any of those visits are to ec.europa.eu, and either block it outright, or keep a record of people who visited the website. You've already got their IP from the tracking cookies europa.eu drops before asking cookie permission, and you want to make sure you inform them of compromise. It shouldn't be too hard to look up the citizen's postal address, it's probably in one of those ec.europa.eu databases that was left in a public AWS bucket. [1]
[1] https://www.bleepingcomputer.com/news/security/european-comm...
It has 3 HIGH RISK issues because
The thing though is that this is a purely informational website (that's defunct under Safari :D) and all actual interaction goes through a specialized portal (e.g. gov.pl, for which the only complaint is cipher order). I get it, it's an aggregator, but showing red maps is at least sensationalist.
Seems that results are taken from internet.nl, which has WAY better UI than page posted.
https://batch.internet.nl/site/um.warszawa.pl/17768032/#
Given the fact lots of sites like that have Wordpress 'databases' of form submissions full of people's personal data, absolutely definitely emphatically yes.
When the GDPR became active eight or so years ago, we got a few GDPR related requests to our service. Basically strongly worded requests to remove their data and account, which we of course honored. All of these came from Germany. Nobody else really cared. But it was kind of curious how quickly that happened. What was interesting is that we had zero such requests before that law came into power. And it's not like we were misbehaving or would have denied such a request. This was more a matter of principle: "I now finally have the right to ask this, so I'm going to."
Germany is a big reason GDPR got so complicated and why, hopefully soon, it will be updated to not be fixated on just cookies so much. It never really was about the cookies but about data handling and sharing.
Any mobile app you install might track you without setting cookies and you can't install an ad blocker in those either. That's why Google loves apps so much. You don't actually need cookies for those. There usually is no cookie screen when you install one (unless it's a web app packaged up as an app). But sharing personal data with a third party provider is still problematic under GDPR. If you read the actual law, it barely mentions cookies at all. The "must have consent screen for cookies" is just the common (mis)interpretation for laymen, because it's the most visible impact that this has had on them. When it comes to data removal and other requests, it's less about features you have and more about processes you use for complying with legal requests. That can be a person answering emails and doing things manually. Doesn't scale if you get a lot of requests but it would be fine legally.
In what way is GDPR focused on cookies?
In my experience, developers in online discussions make it seem all about cookies, pretending other ways of tracking don't exist, while the law does not. But it has been a while since I looked into it and I might remember that wrong.
> There usually is no cookie screen when you install one (unless it's a web app packaged up as an app).
A lot of games provide opt-in screens, as they heavily rely on ad networks.
> If you read the actual law, it barely mention cookies at all
Now I am confused, didn't you just say it was focused on cookies?
Because these requests would be 100% ignored. And the law gave people the power they wanted.
I'm mentally and legally far from Germany and I'm not a big supporter of GDPR, but this law is indeed a step in the right direction.
EDIT: bild.de offers a fake consent choice screen. They fail to provide a "decline all" next to their "accept all" option, but even if you disable every tracking choice and choose to persist your choices, it does nothing and keeps the blocking cookie wall.
But for real, Italian public administration digitalization isn’t as bad as people think when compared to other big countries. SPID (an electronic identity system, now deprecated) was years ahead of many other European countries (and easily, the US), and PEC (a certified email standard for official communications established in 2005, that can be used with standard email clients) is still more advanced than the often more complicated and closed systems used in many other places. The Italian standard also deeply influenced the EU standard: https://dl.acm.org/doi/fullHtml/10.1145/3560107.3560256
GDPR was adopted more than a decade ago and our governments still can't do it right, yet they expect everyone else to get it right. Amazing regulation.
The thing with government stuff is that no one is held accountable. Even people “fired” for doing a lousy job in a place will just be transferred to another department or another government agency. No one really gets fired fired. And when you know nothing happens to your job… there is no incentive to be good at it.
Why is phpMyAdmin even still needed/wanted in 2026? It's not exactly user friendly for a developer, let alone an average Gov employee...
(I have been working with PHP for 20 years)
It seems weird that a system would eventually settle on just full stops and commas, yet not settle on where to put them. If your system is going to converge strongly on two symbols, finish the job!
Same reason why there are different date formats, weeks start on Sundays/Mondays (or Saturdays), long/short scale numbers, drives on left/right, different wall sockets and plugs, different train gauges, and of course metric/imperial.
It's a mix of tradition, conventions, inertia.
It just reflects the spoken language. And having the unused symbol then be the thousand separator is natural.
https://www.unicode.org/cldr/charts/48/by_type/index.html